Card testing: how it's done and how to prevent it

Learn every step of the process to prevent card testing.

Eric Alegre

VP of Business Development

8 September 2023



Card testing, also known as carding, occurs when a fraudster uses a merchant’s website to ‘test’ stolen credit card information to check if the card is valid. Fraudsters can purchase lists of credit card numbers on the Dark Web at a low cost but often do not know if the cards they are purchasing are active or valid. To test these cards, fraudsters often use bots and scripts to run many of these numbers through a merchant’s checkout page. If a transaction is approved, the fraudster knows that the card is valid and can make fraudulent (high-value) purchases elsewhere or commit other forms of credit card fraud.

[Figure: Card testing - user journey]

To prevent card testing, you need to understand every step of the process. We're here to walk you through this process so you can ultimately know for sure who's testing or who's genuinely buying from you.

  • A glimpse into the dark web: we'll take you behind the scenes to understand cybercriminals' strategies - you'll be surprised by how crafty they can be.
  • The real cost of card testing: this fraud can hit your profits and damage customer trust - we'll break down the impact for you.
  • The solution is Know Your Users: to prevent card testing, you need to know your users inside out - we've got the tools to give you an X-ray view of their actions and intentions without affecting the experience of the good ones.

Card testing modus operandi step-by-step

Fraudsters get someone's credit or debit card details and subsequently exploit this information to conduct fraudulent transactions. The card details are usually purchased from the dark web, but how do they get there in the first place?

[Figure: Card testing - process]

The majority of credit cards that find their way to the dark web originate from compromised payment platforms, websites that suffered data breaches, or social engineering activities. In this chain, different groups have their own responsibility. One group steals the details, another manages distribution, and yet another handles purchases.

Before progressing to the point of using the card for transactions, fraudsters must check whether the card remains valid and whether there are available funds in the linked account. A successful journey involves a thorough strategy that is sometimes applied over months. You might think that an active user with an operational account and a valid card would notice an unfamiliar transaction. However, fraudsters have their smart ways to literally fake it until they make it. Usually, their strategies unfold in three distinct stages, spanning from initial research to successfully making purchases using the tested card. Fraudsters follow a sequence, and they learn and get better as they progress through the following steps:

  • collecting the resources to do the job
  • setting certain methods according to the difficulty of doing the job
  • imitating cardholder's behavior

Let's go through each stage to see how things work.

Gathering the resources

Several forums on the dark web guide fraudsters through the process of card testing. Here, a menu of credit cards is up for grabs, each accompanied by its own unique collection of personal tidbits. There are the basics: the card number, CVV, and expiration date, backed by the owner's first and last names. A premium package might include the cardholder's home address, adding an extra layer of legitimacy. And for those aiming for the ultimate score, there's a jackpot package that throws in phone numbers, email addresses, and even the mother's maiden name. It's like data enrichment but for bad purposes.

Setting the methods

Online card testing is easier than testing with physical cards. Replicating a plastic card requires professional tools and a considerable investment of time. For card-not-present (CNP) transactions, where card details are key, the dark web offers a convenient shortcut. Online stores are everywhere, each displaying a range of stolen credit cards available for purchase.

Methods of card testing involve payments for acquiring either physical goods or digital items through unauthorized means. In the case of physical goods (usually luxury products or expensive electronics), it's a rather complicated process with several potential pitfalls. Many stores have strict policies of delivering items exclusively to the address linked to the credit card. This means fraudsters have to go to the store with plausible explanations, such as the item being a gift, for example. In other cases, items might not be shipped across borders. Some organized groups specialize in this logistical aspect, too. For instance, they rent spaces to collect packages, albeit at a higher cost.

On the other hand, digital goods like gift cards, game keys, and flight or concert tickets are more straightforward targets. These items are sent directly to email addresses, which simplifies the process. The only requirement is an email address – even a fictitious one can be generated and associated with a credit card for this purpose.

Imitating the cardholder's behavior

This is a stage that we call 'the warm-up'. After the card is tested, the next step is not diving right into making a big purchase. To make everything seem legit, fraudsters mimic their victim's behavior, but for a successful attempt, they need more information from the victim, such as IP address, browser, or OS. Card testing is a step towards online payment fraud. If executed successfully, fraudsters know they have a powerful instrument in their hands, which is a valid card that they can use on a shopping spree. There's more to do until they get there, but card testing is a good starting point for them.

How card testers get away with it

Fraudsters are smart and creative enough to hide their tracks and spoof their data to seem like they are engaged in legitimate payments. The tactic of hiding so well is called network anonymization.

If a credit card is unexpectedly used in a distant location, and it doesn't display the same IP address, this sudden shift might trigger a transaction block as a protective measure. For this reason, fraudsters use quite an impressive set of tools to hide their identity, such as TOR, VPNs, VPS, DNS changers, IP Hiding Software, and many more. Generally, they use portable tools that don't leave any incriminating data on the computer to avoid detection, but also tools that clean everything after them, especially the browsing history or any temporary files.

[Figure: Card testing - fraud tools]

With the right tools, cybercriminals can hide their identity, mimic legitimate user behavior, and cover their tracks with little to no fraud evidence left behind.

How card testing affects your bottom line

The consequences of credit card testing fraud boil down to the same bad outcome: revenue loss. Whether it comes from transaction declines, reputation damage, or chargebacks, you end up losing money and clients. Let's see the potential scenarios.

[Figure: Card testing consequences]

Authorization declines

When fraudsters attempt to validate stolen credit card details by making low-value transactions, the issuer detects such suspicious activity and declines the transaction in order to safeguard the cardholder's funds. A payment authorization decline due to card testing is not entirely a bad thing, as it means fraudsters can't move further with a transaction, but you might still have to pay authorization fees imposed by card issuers. Also, if you experience a high frequency of authorization declines due to suspected fraudulent activity, this might trigger fraud risk flags associated with your operations.

Damaged reputation

There are two unfortunate scenarios if you don't detect card testing in time. The consequences are just the same as if you were a victim of online payment fraud or account takeover. First is the loss of your customers' trust and loyalty. If they learn that you are experiencing fraudulent activities, they may choose to take their business elsewhere.

The second scenario is worse, though. You may end up in one of the card network programs that track reported fraud activity. If the instances of fraud exceed acceptable levels set by the scheme, you may be placed in a monitoring program, which means you can be subjected to fines and penalties apart from the bad label that you'll have to carry.

Chargebacks

After a well-prepared warm-up, fraudsters succeed in making a purchase, and while they wait for their goods to arrive, chargebacks are on their way to you. When customers notice successful payment notifications in their banking app that they were not aware of, they'll most likely contact the bank, and this is how you get chargeback notifications. Let's say you have the means to prove your innocence, but you still have to pay the dispute fees. Also, there's still the risk of ending up in yet another card network program (on chargebacks this time), which often results in closer scrutiny of your payment processing activities, fees, and fines.

Know Your Users to prevent card testing

While your fraud prevention system is getting better at catching fraud, some real customers can also get caught up in the security net by mistake. You're catching some of the bad ones, but a few good ones might also get stuck.

Also, identifying compromised cards through dark web checks is good practice, but the reality is that there is a staggering number of stolen credit cards out there, and not all are actually monetized. Let's say that you get access to a list of compromised cards, and you'll be able to block them all in case they're trying something on your platform. But if you suddenly block all the cards from that list, you might accidentally block good users who want to buy from you. The cardholders might not even know their cards ended up in the wrong place. They could still be using them without any clue. If you block their cards, they'd be confused.

You can keep the path smooth for your legit users while catching the bad ones, but for this, you need to know every tiny detail about your users to know exactly who to keep away. Let us show you how we can catch even the most creative fraudsters for you with our risk detection solution, passively in the background and with no harm to UX.

Start fraud prevention with Nethone

Detect the undetected

As we mentioned, most fraudsters get away with crime by using VPNs, bots, click farms, and many other tools to hide and automate their card testing activities. As we depicted in the first part, we are aware of their tactics, so we can reverse-engineer them. We detect over 100 risks, on both desktop and mobile, but let's focus now on the most prevalent ones.

Shady VPNs

Fraud prevention companies can detect proxy and VPN connections originating from well-known services, such as NordVPN, ExpressVPN, and others alike. So, clever bad guys avoid these popular tools and use special ones that only they know about. At least, this is what they think, because we know about them too. We don't depend on outdated lists that may not include the latest VPNs and proxies being used by fraudsters. Based on the behavior of the Internet connection, we identify whether a connection is being made through a VPN or proxy, even if it doesn't match the information on traditional lists.

Bots

To perform fraud at a large scale, bots are programmed to carry out card testing activities, such as attempting to make small purchases or testing the validity of a large number of stolen credit card details. We cover the largest attack surface when it comes to detecting bots. With AI-based fingerprinting, specific signals, and a thorough analysis of various data points, you can recognize non-human activities and make an informed decision about who to reject.
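As an added illustration (not Nethone's detection method and not code from the original article), the sketch below flags the pattern described above in a merchant's own authorization log: one client trying many distinct cards with small amounts and a high decline rate inside a short window. The log format, field names and thresholds are assumptions made for this example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample authorization log (all values made up for this example):
# timestamp, client key (device or IP identifier), card token, amount, issuer result.
SAMPLE_LOG = """\
2023-09-08T10:00:01 dev-A tok_01 1.00 declined
2023-09-08T10:00:09 dev-A tok_02 1.00 declined
2023-09-08T10:00:17 dev-A tok_03 1.00 declined
2023-09-08T10:00:26 dev-A tok_04 1.00 approved
2023-09-08T10:00:34 dev-A tok_05 1.00 declined
2023-09-08T10:00:41 dev-A tok_06 1.00 declined
2023-09-08T10:02:10 dev-B tok_20 59.90 declined
2023-09-08T10:03:02 dev-B tok_20 59.90 approved
2023-09-08T10:05:00 dev-C tok_30 2.99 approved
2023-09-08T10:06:30 dev-C tok_30 2.99 approved
"""
Attempt = namedtuple("Attempt", "ts client card amount result")

# Assumed thresholds; tune them against your own traffic.
WINDOW = timedelta(minutes=5)
MIN_CARDS = 4            # distinct cards from one client inside the window
MIN_DECLINE_RATIO = 0.7  # share of attempts the issuer declined
LOW_VALUE = 5.00         # validation charges are low-value

def parse(log):
    rows = (line.split() for line in log.strip().splitlines())
    return sorted(Attempt(datetime.fromisoformat(t), c, k, float(a), r)
                  for t, c, k, a, r in rows)

def flag_card_testing(attempts):
    """Map each suspicious client to the stats of its last triggering window."""
    by_client = defaultdict(list)
    for a in attempts:
        by_client[a.client].append(a)
    flagged = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            cards = {a.card for a in win}
            declines = sum(a.result == "declined" for a in win)
            if (len(cards) >= MIN_CARDS
                    and declines / len(win) >= MIN_DECLINE_RATIO
                    and all(a.amount <= LOW_VALUE for a in win)):
                flagged[client] = {"cards": len(cards), "declines": declines, "attempts": len(win)}
    return flagged
```

In the constructed log only `dev-A` is flagged; the customer who retried one card after a decline (`dev-B`) and the repeat buyer of cheap items on a single card (`dev-C`) pass, which is the distinction between testers and genuine buyers the article is after.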

Behavioral biometrics

When users are asked to enter their card details, they usually do this via an autofill feature, especially if they enrolled in card-on-file, or simply by typing in the required information. Bots or click farms copy and paste this information. Such behavioral biometrics on their own do not indicate a threat, but combined with past behavior and other signals, they can point to fraud.

Machine learning for precise detection

Our machine-learning technology spots hidden patterns that otherwise might not be easy to see and gives actionable recommendations in less than a second on whether to accept or reject a user, helping you to make the right choice. We can build ML models for you according to your needs and make them work for you without disrupting the user experience.

Keep up with creative fraudsters while protecting your good users! Book a call to learn how. 

It's time to stop payment fraud

Would you like to learn more about how the Know Your User solution can help your business effectively stamp out fraud without causing online friction? Let us show you how.
